Re: Linux 5.15.205

From: Massimiliano Pellizzer

Date: Fri May 08 2026 - 10:07:53 EST


On Fri, May 8, 2026 at 3:50 PM gregkh@xxxxxxxxxxxxxxxxxxx
<gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On Fri, May 08, 2026 at 03:13:51PM +0200, Massimiliano Pellizzer wrote:
> > On Fri, May 8, 2026 at 2:44 PM gregkh@xxxxxxxxxxxxxxxxxxx
> > <gregkh@xxxxxxxxxxxxxxxxxxx> wrote:
> > >
> > > On Fri, May 08, 2026 at 12:05:02PM +0000, Dominik Grzegorzek wrote:
> > > > Hi,
> > > >
> > > > I may be mistaken, but I think there might be a small typo in this hunk in net/ipv4/ip_output.c:
> > > >
> > > > skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> > > >
> > > > Would this need to be:
> > > >
> > > > skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
> > > >
> > > > My understanding is that SKBFL_SHARED_FRAG is a bit in skb_shared_info->flags, and skb_has_shared_frag() checks skb_shinfo(skb)->flags.
> > >
> > > Adding Ben who did the 5.10 backport so he can comment on this.
> > >
> > > thanks,
> > >
> > > greg k-h
> > >
> >
> > Hi,
> >
> > The newly released kernel 5.15.205 is still vulnerable to CVE-2026-43284.
> >
> > ```
> > $ ./run.sh
> > === Stage 1 — overwrite 'systemd-timesync' line (89 bytes) with
> > 'sick::0:0:<pad>:/:/bin/bash'
> > === Stage 2 — verify
> > sick::0:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:/:/bin/bash
> > === Stage 3 — su - sick (empty password via PAM nullok)
> > [i] state saved to /var/tmp/.cf2.state — run './run.sh --clean' to revert
> > # uname -r
> > 5.15.205
> > ```
> >
>
> Does the patch below fix this up?
>
> thanks,
>
> greg k-h
>
> ------------------
>
>
> diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
> index 68509e1f89b5..5d8f8a5901bc 100644
> --- a/net/ipv4/ip_output.c
> +++ b/net/ipv4/ip_output.c
> @@ -1443,7 +1443,7 @@ ssize_t ip_append_page(struct sock *sk, struct flowi4 *fl4, struct page *page,
> goto error;
> }
>
> - skb_shinfo(skb)->tx_flags |= SKBFL_SHARED_FRAG;
> + skb_shinfo(skb)->flags |= SKBFL_SHARED_FRAG;
>
> if (skb->ip_summed == CHECKSUM_NONE) {
> __wsum csum;
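
Review bot: The line replaced in ip_append_page() OR-ed an SKBFL_ bit into tx_flags and still made it into the 5.15.205 release, so the same `tx_flags |= SKBFL_SHARED_FRAG` line may be present in the other stable backports of this change; the 5.10 backport mentioned earlier in the thread should be checked for it. The patch as posted carries no changelog, Fixes: tag or Signed-off-by. The formal submission should say that, as noted earlier in the thread, skb_has_shared_frag() checks skb_shinfo(skb)->flags, so a bit set in tx_flags is never seen by that check, and that 5.15.205 was reported still vulnerable to CVE-2026-43284 with the wrong field in place.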

Yes, this works.
Thanks